@petiepooo
Created June 30, 2016 20:03
A patch to UFW's after.rules file to allow "knocking harder" protection for SaltStack ports
--- after.rules.orig 2016-06-30 14:56:53.155072361 -0500
+++ after.rules 2016-06-30 14:38:06.839093867 -0500
@@ -15,6 +15,9 @@
:ufw-after-forward - [0:0]
# End required lines
+### add salt-stack knocking chains
+:salt-new-conn - [0:0]
+
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input
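Review bot: the `:salt-new-conn - [0:0]` declaration lands after the `# End required lines` marker, which is the right place since it leaves ufw's own required-chain block untouched; the only nit is the `###` comment prefix, which differs from the single `#` comment style used by the surrounding lines (`# End required lines`, `# don't log noisy services by default`), so consider matching it.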
@@ -26,5 +29,22 @@
# don't log noisy broadcast
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
+### add salt-stack knocking rules
+### accept all connections if there's been an accepted connection within the last day
+-A salt-new-conn -m recent --update --rsource --name salt-allow --seconds 86400 --hitcount 1 -j ACCEPT
+### new connections start with 4506, if we're knocking on 4505, return and let default rules log and drop
+-A salt-new-conn -p tcp --dport 4505 -j RETURN
+### add/update the knock record and log that we got a knock (--set always returns success)
+-A salt-new-conn -m recent --set --rsource --name salt-knock -j LOG --log-prefix "[UFW SALT KNOCK] " -m limit --limit 3/min --limit-burst 10
+### ! rcheck if we've recorded 3 knocks in the last 5 seconds. if NOT, just drop (no need to log as we just did that)
+-A salt-new-conn -m recent ! --rcheck --rsource --name salt-knock --seconds 5 --hitcount 3 -j DROP
+### now we have seen enough knocks, remove the knock records for that IP and log that we're adding an allow record (both actions are optional)
+-A salt-new-conn -m recent --remove --rsource --name salt-knock -j LOG --log-prefix "[UFW SALT ALLOW] " -m limit --limit 3/min --limit-burst 10
+### add the allow record and accept the packet
+-A salt-new-conn -m recent --set --rsource --name salt-allow -j ACCEPT
+
+## add an after input rule to send all salt traffic to the knocking rule chain
+-A ufw-after-input -p tcp -m state --state NEW -m multiport --dports 4505,4506 -j salt-new-conn
+
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
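Review bot: the `salt-allow` list has no size guard, and xt_recent's default `ip_list_tot` is 100 entries, so a master with more than about 100 minions will see the oldest allow records evicted and those minions forced back through the knock sequence; if the fleet is larger, set the module parameter (for example `ip_list_tot` via a modprobe option) and note that in the comments. Two smaller points: the `! --rcheck ... --seconds 5 --hitcount 3` window relies on the client's SYN retransmit schedule delivering three SYNs within 5 seconds, which the Linux default backoff (retransmits after roughly 1 s and 2 s) satisfies but other TCP stacks with a 3 s initial retransmit may not, so the `--seconds` value deserves a comment stating that assumption; and in the `--set ... -j LOG ... -m limit` rules the match order is what makes the record update unconditional while only the LOG is rate-limited, which the comment on line `--set always returns success` hints at but could state explicitly so a later edit does not reorder the matches.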